60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html lang="en">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>Chapter�3.�Name Server Configuration</title>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter�2.�BIND Resource Requirements">

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<link rel="next" href="Bv9ARM.ch04.html" title="Chapter�4.�Advanced DNS Features">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<tr><th colspan="3" align="center">Chapter�3.�Name Server Configuration</th></tr>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a>�</td>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">�</th>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch04.html">Next</a>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="chapter">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h1 class="title">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="Bv9ARM.ch03"></a>Chapter�3.�Name Server Configuration</h1></div></div></div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="toc">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><b>Table of Contents</b></p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dl class="toc">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch03.html#cache_only_sample">A Caching-only Name Server</a></span></dt>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch03.html#auth_only_sample">An Authoritative-only Name Server</a></span></dt>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dl></dd>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch03.html#load_balancing">Load Balancing</a></span></dt>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch03.html#ns_operations">Name Server Operations</a></span></dt>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><dl>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="section"><a href="Bv9ARM.ch03.html#tools">Tools for Use With the Name Server Daemon</a></span></dt>

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch03.html#signals">Signals</a></span></dt>

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews</dl></dd>

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews</dl>

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews</div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein In this chapter we provide some suggested configurations along

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein with guidelines for their use. We suggest reasonable values for

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews certain option settings.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <div class="section">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <div class="section">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="cache_only_sample"></a>A Caching-only Name Server</h3></div></div></div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The following sample configuration is appropriate for a caching-only

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein name server for use by clients internal to a corporation. All

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein queries

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews from outside clients are refused using the <span class="command"><strong>allow-query</strong></span>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein option. Alternatively, the same effect could be achieved using

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein suitable

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein firewall rules.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<pre class="programlisting">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// Two corporate subnets we wish to allow queries from.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinacl corpnets { 192.168.4.0/24; 192.168.7.0/24; };

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinoptions {

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein // Working directory

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein directory "/etc/namedb";

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein allow-query { corpnets; };

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// Provide a reverse mapping for the loopback

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// address 127.0.0.1

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinzone "0.0.127.in-addr.arpa" {

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein type master;

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file "localhost.rev";

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein notify no;

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</pre>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <div class="section">

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<div class="titlepage"><div><div><h3 class="title">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="auth_only_sample"></a>An Authoritative-only Name Server</h3></div></div></div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <p>

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews This sample configuration is for an authoritative-only server

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein that is the master server for "<code class="filename">example.com</code>"

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews and a slave for the subdomain "<code class="filename">eng.example.com</code>".

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<pre class="programlisting">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinoptions {

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein // Working directory

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews directory "/etc/namedb";

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein // Do not allow access to cache

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein allow-query-cache { none; };

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein // This is the default

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein allow-query { any; };

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews // Do not provide recursive service

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews recursion no;

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// Provide a reverse mapping for the loopback

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// address 127.0.0.1

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinzone "0.0.127.in-addr.arpa" {

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein type master;

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file "localhost.rev";

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein notify no;

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// We are the master server for example.com

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinzone "example.com" {

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein type master;

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein file "example.com.db";

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein // IP addresses of slave servers allowed to

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein // transfer example.com

71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews allow-transfer {

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 192.168.4.14;

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 192.168.5.53;

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein };

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein};

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// We are a slave server for eng.example.com

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinzone "eng.example.com" {

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein type slave;

file "eng.example.com.bk";

// IP address of eng.example.com master server

masters { 192.168.4.12; };

};

</pre>

</div>

</div>

<div class="section">

<div class="titlepage"><div><div><h2 class="title" style="clear: both">

<a name="load_balancing"></a>Load Balancing</h2></div></div></div>

<p>

A primitive form of load balancing can be achieved in

the <acronym class="acronym">DNS</acronym> by using multiple records

(such as multiple A records) for one name.

</p>

<p>

For example, if you have three WWW servers with network addresses

of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the

following means that clients will connect to each machine one third

of the time:

</p>

<div class="informaltable">

<table border="1">

<colgroup>

<col width="0.875in" class="1">

<col width="0.500in" class="2">

<col width="0.750in" class="3">

<col width="0.750in" class="4">

<col width="2.028in" class="5">

</colgroup>

<tbody>

<tr>

<td>

<p>

Name

</p>

</td>

<td>

<p>

TTL

</p>

</td>

<td>

<p>

CLASS

</p>

</td>

<td>

<p>

TYPE

</p>

</td>

<td>

<p>

Resource Record (RR) Data

</p>

</td>

</tr>

<tr>

<td>

<p>

<code class="literal">www</code>

</p>

</td>

<td>

<p>

<code class="literal">600</code>

</p>

</td>

<td>

<p>

<code class="literal">IN</code>

</p>

</td>

<td>

<p>

<code class="literal">A</code>

</p>

</td>

<td>

<p>

<code class="literal">10.0.0.1</code>

</p>

</td>

</tr>

<tr>

<td>

<p></p>

</td>

<td>

<p>

<code class="literal">600</code>

</p>

</td>

<td>

<p>

<code class="literal">IN</code>

</p>

</td>

<td>

<p>

<code class="literal">A</code>

</p>

</td>

<td>

<p>

<code class="literal">10.0.0.2</code>

</p>

</td>

</tr>

<tr>

<td>

<p></p>

</td>

<td>

<p>

<code class="literal">600</code>

</p>

</td>

<td>

<p>

<code class="literal">IN</code>

</p>

</td>

<td>

<p>

<code class="literal">A</code>

</p>

</td>

<td>

<p>

<code class="literal">10.0.0.3</code>

</p>

</td>

</tr>

</tbody>

</table>

</div>

<p>

When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate

them and respond to the query with the records in a different

order. In the example above, clients will randomly receive

records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients

will use the first record returned and discard the rest.

</p>

<p>

For more detail on ordering responses, check the

<span class="command"><strong>rrset-order</strong></span> sub-statement in the

<span class="command"><strong>options</strong></span> statement, see

<a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">RRset Ordering</a>.

</p>

</div>

<div class="section">

<div class="titlepage"><div><div><h2 class="title" style="clear: both">

<a name="ns_operations"></a>Name Server Operations</h2></div></div></div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="tools"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>

<p>

This section describes several indispensable diagnostic,

administrative and monitoring tools available to the system

administrator for controlling and debugging the name server

daemon.

</p>

<div class="section">

<div class="titlepage"><div><div><h4 class="title">

<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>

<p>

The <span class="command"><strong>dig</strong></span>, <span class="command"><strong>host</strong></span>, and

<span class="command"><strong>nslookup</strong></span> programs are all command

line tools

for manually querying name servers. They differ in style and

output format.

</p>

<div class="variablelist"><dl class="variablelist">

<dt><span class="term"><a name="dig"></a><span class="command"><strong>dig</strong></span></span></dt>

<dd>

<p>

<span class="command"><strong>dig</strong></span>

is the most versatile and complete of these lookup tools.

It has two modes: simple interactive

mode for a single query, and batch mode which executes a

query for

each in a list of several query lines. All query options are

accessible

from the command line.

</p>

<div class="cmdsynopsis"><p>

<code class="command">dig</code>

[@<em class="replaceable"><code>server</code></em>]

<em class="replaceable"><code>domain</code></em>

[<em class="replaceable"><code>query-type</code></em>]

[<em class="replaceable"><code>query-class</code></em>]

[+<em class="replaceable"><code>query-option</code></em>]

[-<em class="replaceable"><code>dig-option</code></em>]

[%<em class="replaceable"><code>comment</code></em>]

</p></div>

<p>

The usual simple use of <span class="command"><strong>dig</strong></span> will take the form

</p>

<p class="simpara">

<span class="command"><strong>dig @server domain query-type query-class</strong></span>

</p>

<p>

For more information and a list of available commands and

options, see the <span class="command"><strong>dig</strong></span> man

page.

</p>

</dd>

<dt><span class="term"><span class="command"><strong>host</strong></span></span></dt>

<dd>

<p>

The <span class="command"><strong>host</strong></span> utility emphasizes

simplicity

and ease of use. By default, it converts

between host names and Internet addresses, but its

functionality

can be extended with the use of options.

</p>

<div class="cmdsynopsis"><p>

<code class="command">host</code>

[-aCdlnrsTwv]

[-c <em class="replaceable"><code>class</code></em>]

[-N <em class="replaceable"><code>ndots</code></em>]

[-t <em class="replaceable"><code>type</code></em>]

[-W <em class="replaceable"><code>timeout</code></em>]

[-R <em class="replaceable"><code>retries</code></em>]

[-m <em class="replaceable"><code>flag</code></em>]

[-4]

[-6]

<em class="replaceable"><code>hostname</code></em>

[<em class="replaceable"><code>server</code></em>]

</p></div>

<p>

For more information and a list of available commands and

options, see the <span class="command"><strong>host</strong></span> man

page.

</p>

</dd>

<dt><span class="term"><span class="command"><strong>nslookup</strong></span></span></dt>

<dd>

<p><span class="command"><strong>nslookup</strong></span>

has two modes: interactive and

non-interactive. Interactive mode allows the user to

query name servers for information about various

hosts and domains or to print a list of hosts in a

domain. Non-interactive mode is used to print just

the name and requested information for a host or

domain.

</p>

<div class="cmdsynopsis"><p>

<code class="command">nslookup</code>

[-option...]

[

[<em class="replaceable"><code>host-to-find</code></em>]

| [- [server]]

]

</p></div>

<p>

Interactive mode is entered when no arguments are given (the

default name server will be used) or when the first argument

is a

hyphen (`-') and the second argument is the host name or

Internet address

of a name server.

</p>

<p>

Non-interactive mode is used when the name or Internet

address

of the host to be looked up is given as the first argument.

The

optional second argument specifies the host name or address

of a name server.

</p>

<p>

Due to its arcane user interface and frequently inconsistent

behavior, we do not recommend the use of <span class="command"><strong>nslookup</strong></span>.

Use <span class="command"><strong>dig</strong></span> instead.

</p>

</dd>

</dl></div>

</div>

<div class="section">

<div class="titlepage"><div><div><h4 class="title">

<a name="admin_tools"></a>Administrative Tools</h4></div></div></div>

<p>

Administrative tools play an integral part in the management

of a server.

</p>

<div class="variablelist"><dl class="variablelist">

<dt>

<a name="named-checkconf"></a><span class="term"><span class="command"><strong>named-checkconf</strong></span></span>

</dt>

<dd>

<p>

The <span class="command"><strong>named-checkconf</strong></span> program

checks the syntax of a <code class="filename">named.conf</code> file.

</p>

<div class="cmdsynopsis"><p>

<code class="command">named-checkconf</code>

[-jvz]

[-t <em class="replaceable"><code>directory</code></em>]

[<em class="replaceable"><code>filename</code></em>]

</p></div>

</dd>

<dt>

<a name="named-checkzone"></a><span class="term"><span class="command"><strong>named-checkzone</strong></span></span>

</dt>

<dd>

<p>

The <span class="command"><strong>named-checkzone</strong></span> program

checks a master file for

syntax and consistency.

</p>

<div class="cmdsynopsis"><p>

<code class="command">named-checkzone</code>

[-djqvD]

[-c <em class="replaceable"><code>class</code></em>]

[-o <em class="replaceable"><code>output</code></em>]

[-t <em class="replaceable"><code>directory</code></em>]

[-w <em class="replaceable"><code>directory</code></em>]

[-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>]

[-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>]

[-W <em class="replaceable"><code>(ignore|warn)</code></em>]

<em class="replaceable"><code>zone</code></em>

[<em class="replaceable"><code>filename</code></em>]

</p></div>

</dd>

<dt>

<a name="named-compilezone"></a><span class="term"><span class="command"><strong>named-compilezone</strong></span></span>

</dt>

<dd>

<p>

Similar to <span class="command"><strong>named-checkzone,</strong></span> but

it always dumps the zone content to a specified file

(typically in a different format).

</p>

</dd>

<dt>

<a name="rndc"></a><span class="term"><span class="command"><strong>rndc</strong></span></span>

</dt>

<dd>

<p>

The remote name daemon control

(<span class="command"><strong>rndc</strong></span>) program allows the

system

administrator to control the operation of a name server.

Since <acronym class="acronym">BIND</acronym> 9.2, <span class="command"><strong>rndc</strong></span>

supports all the commands of the BIND 8 <span class="command"><strong>ndc</strong></span>

utility except <span class="command"><strong>ndc start</strong></span> and

<span class="command"><strong>ndc restart</strong></span>, which were also

not supported in <span class="command"><strong>ndc</strong></span>'s

channel mode.

If you run <span class="command"><strong>rndc</strong></span> without any

options

it will display a usage message as follows:

</p>

<div class="cmdsynopsis"><p>

<code class="command">rndc</code>

[-c <em class="replaceable"><code>config</code></em>]

[-s <em class="replaceable"><code>server</code></em>]

[-p <em class="replaceable"><code>port</code></em>]

[-y <em class="replaceable"><code>key</code></em>]

<em class="replaceable"><code>command</code></em>

[<em class="replaceable"><code>command</code></em>...]

</p></div>

<p>See <a class="xref" href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of

the available <span class="command"><strong>rndc</strong></span> commands.

</p>

<p>

<span class="command"><strong>rndc</strong></span> requires a configuration file,

since all

communication with the server is authenticated with

digital signatures that rely on a shared secret, and

there is no way to provide that secret other than with a

configuration file. The default location for the

<span class="command"><strong>rndc</strong></span> configuration file is

<code class="filename">/etc/rndc.conf</code>, but an

alternate

location can be specified with the <code class="option">-c</code>

option. If the configuration file is not found,

<span class="command"><strong>rndc</strong></span> will also look in

<code class="filename">/etc/rndc.key</code> (or whatever

<code class="varname">sysconfdir</code> was defined when

the <acronym class="acronym">BIND</acronym> build was

configured).

The <code class="filename">rndc.key</code> file is

generated by

running <span class="command"><strong>rndc-confgen -a</strong></span> as

described in

<a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and

Usage&#8221;</a>.

</p>

<p>

The format of the configuration file is similar to

that of <code class="filename">named.conf</code>, but

limited to

only four statements, the <span class="command"><strong>options</strong></span>,

<span class="command"><strong>key</strong></span>, <span class="command"><strong>server</strong></span> and

<span class="command"><strong>include</strong></span>

statements. These statements are what associate the

secret keys to the servers with which they are meant to

be shared. The order of statements is not

significant.

</p>

<p>

The <span class="command"><strong>options</strong></span> statement has

three clauses:

<span class="command"><strong>default-server</strong></span>, <span class="command"><strong>default-key</strong></span>,

and <span class="command"><strong>default-port</strong></span>.

<span class="command"><strong>default-server</strong></span> takes a

host name or address argument and represents the server

that will

be contacted if no <code class="option">-s</code>

option is provided on the command line.

<span class="command"><strong>default-key</strong></span> takes

the name of a key as its argument, as defined by a <span class="command"><strong>key</strong></span> statement.

<span class="command"><strong>default-port</strong></span> specifies the

port to which

<span class="command"><strong>rndc</strong></span> should connect if no

port is given on the command line or in a

<span class="command"><strong>server</strong></span> statement.

</p>

<p>

The <span class="command"><strong>key</strong></span> statement defines a

key to be used

by <span class="command"><strong>rndc</strong></span> when authenticating

with

<span class="command"><strong>named</strong></span>. Its syntax is

identical to the

<span class="command"><strong>key</strong></span> statement in <code class="filename">named.conf</code>.

The keyword <strong class="userinput"><code>key</code></strong> is

followed by a key name, which must be a valid

domain name, though it need not actually be hierarchical;

thus,

a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid

name.

The <span class="command"><strong>key</strong></span> statement has two

clauses:

<span class="command"><strong>algorithm</strong></span> and <span class="command"><strong>secret</strong></span>.

While the configuration parser will accept any string as the

argument

to algorithm, currently only the strings

"<strong class="userinput"><code>hmac-md5</code></strong>",

"<strong class="userinput"><code>hmac-sha1</code></strong>",

"<strong class="userinput"><code>hmac-sha224</code></strong>",

"<strong class="userinput"><code>hmac-sha256</code></strong>",

"<strong class="userinput"><code>hmac-sha384</code></strong>"

and "<strong class="userinput"><code>hmac-sha512</code></strong>"

have any meaning. The secret is a base-64 encoded string

as specified in RFC 3548.

</p>

<p>

The <span class="command"><strong>server</strong></span> statement

associates a key

defined using the <span class="command"><strong>key</strong></span>

statement with a server.

The keyword <strong class="userinput"><code>server</code></strong> is followed by a

host name or address. The <span class="command"><strong>server</strong></span> statement

has two clauses: <span class="command"><strong>key</strong></span> and <span class="command"><strong>port</strong></span>.

The <span class="command"><strong>key</strong></span> clause specifies the

name of the key

to be used when communicating with this server, and the

<span class="command"><strong>port</strong></span> clause can be used to

specify the port <span class="command"><strong>rndc</strong></span> should

connect

to on the server.

</p>

<p>

A sample minimal configuration file is as follows:

</p>

<pre class="programlisting">

key rndc_key {

algorithm "hmac-sha256";

secret

"c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";

};

options {

default-server 127.0.0.1;

default-key rndc_key;

};

</pre>

<p>

This file, if installed as <code class="filename">/etc/rndc.conf</code>,

would allow the command:

</p>

<p>

<code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>

</p>

<p>

to connect to 127.0.0.1 port 953 and cause the name server

to reload, if a name server on the local machine were

running with

following controls statements:

</p>

<pre class="programlisting">

controls {

inet 127.0.0.1

allow { localhost; } keys { rndc_key; };

};

</pre>

<p>

and it had an identical key statement for

<code class="literal">rndc_key</code>.

</p>

<p>

Running the <span class="command"><strong>rndc-confgen</strong></span>

program will

conveniently create a <code class="filename">rndc.conf</code>

file for you, and also display the

corresponding <span class="command"><strong>controls</strong></span>

statement that you need to

add to <code class="filename">named.conf</code>.

Alternatively,

you can run <span class="command"><strong>rndc-confgen -a</strong></span>

to set up

a <code class="filename">rndc.key</code> file and not

modify

<code class="filename">named.conf</code> at all.

</p>

</dd>

</dl></div>

</div>

</div>

<div class="section">

<div class="titlepage"><div><div><h3 class="title">

<a name="signals"></a>Signals</h3></div></div></div>

<p>

Certain UNIX signals cause the name server to take specific

actions, as described in the following table. These signals can

be sent using the <span class="command"><strong>kill</strong></span> command.

</p>

<div class="informaltable">

<table border="1">

<colgroup>

<col width="1.125in" class="1">

<col width="4.000in" class="2">

</colgroup>

<tbody>

<tr>

<td>

<p><span class="command"><strong>SIGHUP</strong></span></p>

</td>

<td>

<p>

Causes the server to read <code class="filename">named.conf</code> and

reload the database.

</p>

</td>

</tr>

<tr>

<td>

<p><span class="command"><strong>SIGTERM</strong></span></p>

</td>

<td>

<p>

Causes the server to clean up and exit.

</p>

</td>

</tr>

<tr>

<td>

<p><span class="command"><strong>SIGINT</strong></span></p>

</td>

<td>

<p>

Causes the server to clean up and exit.

</p>

</td>

</tr>

</tbody>

</table>

</div>

</div>

</div>

</div>

<div class="navfooter">

<hr>

<table width="100%" summary="Navigation footer">

<tr>

<td width="40%" align="left">

<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a>�</td>

<td width="20%" align="center">�</td>

<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch04.html">Next</a>

</td>

</tr>

<tr>

<td width="40%" align="left" valign="top">Chapter�2.�<acronym class="acronym">BIND</acronym> Resource Requirements�</td>

<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>

<td width="40%" align="right" valign="top">�Chapter�4.�Advanced DNS Features</td>

</tr>

</table>

</div>

<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.2</p>

</body>

</html>